From owner-freebsd-questions@FreeBSD.ORG Fri Dec 19 09:35:35 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3BE3C16A4CE; Fri, 19 Dec 2003 09:35:35 -0800 (PST)
Received: from lv.raad.tartu.ee (lv.raad.tartu.ee [194.126.106.110]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3C6D743D45; Fri, 19 Dec 2003 09:35:33 -0800 (PST) (envelope-from toomas.aas@raad.tartu.ee)
Received: Message by Barricade lv.raad.tartu.ee with ESMTP id hBJHZVWw026735; Fri, 19 Dec 2003 19:35:31 +0200
Message-Id: <200312191735.hBJHZVWw026735@lv.raad.tartu.ee>
Received: from INFO/SpoolDir by raad.tartu.ee (Mercury 1.48); 19 Dec 03 19:35:31 +0200
Received: from SpoolDir by INFO (Mercury 1.48); 19 Dec 03 19:35:31 +0200
From: "Toomas Aas"
Organization: Tartu City Government
To: "Robert Eckardt"
Date: Fri, 19 Dec 2003 19:35:27 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Priority: normal
In-reply-to: <20031216191701.M14568@Robert-Eckardt.de>
cc: questions@freebsd.org
Subject: Re: DOS of named
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 19 Dec 2003 17:35:35 -0000

Hi!

> what measures can I take against these irregularly appearing Denial-of-Service
> attacks of named which are filling my logfiles (messages, daemon, all.log)
> with messages like "sysquery: no addrs found for root NS" for minutes
> at a rate of 4000 lines/sec?

Here's what I have done on my FreeBSD 4.8 machines.
Put the following in /etc/namedb/named.conf:

-----------------------< cut >-----------------------
logging {
    // Send every message to a dedicated file instead of syslogd.
    channel everything {
        // Keep 5 rotated copies; roll the file when it reaches 4 MB.
        file "/var/log/named" versions 5 size 4m;
        severity info;
        print-category no;
        print-severity yes;
        print-time yes;
    };
    // Route all categories to the channel above.
    category default { everything; };
};
-----------------------< cut >-----------------------

This, as you understand, configures named to log its messages to file
/var/log/named (bypassing syslogd), doesn't allow the log file to grow
larger than 4 MB and keeps 5 previous versions of the file. The errors
still happen, but at least your /var partition won't fill up.

> Thus, nothing to solve the problem or to find the true cause.

I've gone through the same path you have, with similar results.

It is interesting to mention that I have three servers (now
4.8-RELEASE-p13) running named (from base system) on FreeBSD, two of
them using ISP A and one using ISP B (respective ISP's name servers
configured as forwarders in named.conf). The problem happens with both
servers behind ISP A, but has never happened to the one behind ISP B.

--
Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* Tell me what you need, and I'll tell you how to get along without it.
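The logging channel above caps how much disk the flood can consume, but it does not tell you when a burst is happening. The script below is an added example, not part of the mail thread or of BIND itself: it reads lines in the format that the channel above produces with print-time and print-severity enabled (timestamp, severity, message; the exact layout is an assumption, as is the constructed sample log), counts "sysquery: no addrs found for root NS" messages per second, and reports the seconds that exceed a threshold, so an operator can alert on the burst rather than discover it from a full /var.

```python
import re
from collections import Counter

# Assumed line layout for a BIND file channel with
# "print-time yes; print-severity yes; print-category no;", e.g.
#   19-Dec-2003 19:35:31.000 warning: sysquery: no addrs found for root NS
# (format is an assumption for this example, not taken from the mail).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"(?P<sev>[a-z]+): (?P<msg>.*)$"
)

FLOOD_MSG = "sysquery: no addrs found for root NS"


def parse_line(line):
    """Return (timestamp-to-the-second, severity, message) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("sev"), m.group("msg")


def count_per_second(lines, pattern=FLOOD_MSG):
    """Count matching messages per one-second bucket; skip unparseable lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _sev, msg = parsed
        if pattern in msg:
            counts[ts] += 1
    return counts


def find_bursts(lines, threshold=100):
    """Return sorted (second, count) pairs whose count reaches the threshold."""
    counts = count_per_second(lines)
    return sorted((ts, n) for ts, n in counts.items() if n >= threshold)


def build_sample_log():
    """Constructed sample log: a quiet second, a flood second, and junk."""
    lines = ["19-Dec-2003 19:35:30.000 info: zone example.com loaded"]
    for i in range(3):
        lines.append(f"19-Dec-2003 19:35:30.{i:03d} warning: {FLOOD_MSG}")
    for i in range(250):
        lines.append(f"19-Dec-2003 19:35:31.{i:03d} warning: {FLOOD_MSG}")
    lines.append("this line does not match the expected layout")
    return lines


if __name__ == "__main__":
    # Replace build_sample_log() with open("/var/log/named") on a real host.
    for second, n in find_bursts(build_sample_log(), threshold=100):
        print(f"{second}: {n} root-NS lookup failures in one second")
```

The threshold is deliberately low for the sample; on a server seeing the rates described in the thread (thousands of lines per second) a threshold of a few hundred per second separates the flood cleanly from the occasional resolver hiccup.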